In summary, Microsoft Advanced Threat Analytics (ATA) is a security product that helps to protect an enterprise network from advanced forms of cyberattack. ATA gathers information from Windows logs and uses deep packet inspection techniques to evaluate trends in network traffic to and from domain controllers and the behavior of users, devices, and resources. This way, ATA can detect suspicious activity generated by the various phases of an attack and generate alerts that specify the type of attack that might be in progress and the systems that are involved.

ATA Center is the focal point of the ATA product, and requires a dedicated server known as the ATA Center. This computer is the receiver of the information gathered from your domain controllers, and the place where the threat analysis occurs.

The ATA product also supports two types of gateways, as follows:

ATA Gateway runs on a standalone server and gathers information from domain controllers using port mirroring and event forwarding.

Both gateway types perform many of the same functions. The standalone ATA Gateway can service multiple domain controllers, up to a maximum of 50,000 packets per second of domain controller traffic. However, the ATA Lightweight Gateways service only the domain controllers on which they are installed, and support up to 10,000 packets per second.

In my environment, I have AD installed on Windows Server Core and I am leveraging the ATA Lightweight Gateway. The ATA architecture looks something like this:

As the network started growing, I decided to move the ATA Gateway to a dedicated server instead of using the Lightweight approach.

The new ATA architecture looks something like this:

In this scenario, I need to uninstall the ATA Lightweight Gateway service from the domain controller. And since I am using Windows Server Core, the Programs and Features applet (appwiz.cpl) is not available to uninstall the program.

Uninstall ATA Lightweight Gateway

To check the list of installed applications on Windows Server Core, you can run the following PowerShell command:

Get-WmiObject Win32_Product | Format-List

By default, all installed applications are also listed in the Registry under the following path:

This command uses the Get-ChildItem cmdlet to show all items directly within the Windows PowerShell drive HKLM:, which corresponds to the HKEY_LOCAL_MACHINE registry hive. It pipes the output to the Get-ItemProperty cmdlet to view the registry entries in a more readable form. Then, it pipes the results to the Where-Object cmdlet, which filters the properties and displays only the “Microsoft Advanced Threat Analytics Gateway” details.

Note the key properties “UninstallString” and “QuietUninstallString” in the screenshot above.

To uninstall the ATA Gateway, copy the value of “UninstallString” or “QuietUninstallString”, paste it into an elevated command prompt, and press Enter.

Like this:
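The steps above (find the ATA Gateway entry in the registry Uninstall keys, read its QuietUninstallString or UninstallString, and run it elevated) as one PowerShell script. This is an added example, not code from the original post or from the ATA product. It assumes the standard Windows Installer registry locations under HKLM:\SOFTWARE\...\CurrentVersion\Uninstall (64-bit and WOW6432Node), the DisplayName "Microsoft Advanced Threat Analytics Gateway" shown in the post, and the function names Get-AtaGatewayUninstallEntry and Uninstall-AtaGateway, which are my own. It reads the registry instead of Win32_Product because querying Win32_Product makes Windows Installer re-validate every installed MSI product, which is slow and noisy in the Application event log on a domain controller.

```powershell
# Added example (not from the original post): locate the ATA Gateway uninstall entry
# in the registry and run its quiet uninstall string on Windows Server Core.

function Get-AtaGatewayUninstallEntry {
    param(
        # DisplayName as shown in the post; pass another value to target a different product
        [string]$DisplayName = 'Microsoft Advanced Threat Analytics Gateway'
    )
    # Standard Windows Installer locations for 64-bit and 32-bit (WOW6432Node) products
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher,
                      UninstallString, QuietUninstallString, PSPath
}

function Uninstall-AtaGateway {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DisplayName = 'Microsoft Advanced Threat Analytics Gateway'
    )

    # The uninstall string must run elevated, as the post notes; fail early if it cannot
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $entry = @(Get-AtaGatewayUninstallEntry -DisplayName $DisplayName)
    if ($entry.Count -eq 0) { throw "No uninstall entry found for '$DisplayName'." }
    if ($entry.Count -gt 1) { throw "Multiple entries matched '$DisplayName'; refine the filter." }
    $entry = $entry[0]

    # Prefer QuietUninstallString so no UI is needed on Server Core; fall back to UninstallString
    $cmd = if ($entry.QuietUninstallString) { $entry.QuietUninstallString } else { $entry.UninstallString }
    if (-not $cmd) { throw "Entry '$DisplayName' has neither QuietUninstallString nor UninstallString." }

    if ($PSCmdlet.ShouldProcess($DisplayName, "Run: $cmd")) {
        # Hand the stored string to cmd.exe so it is parsed exactly as an elevated prompt would parse it
        $proc = Start-Process -FilePath cmd.exe -ArgumentList '/c', $cmd -Wait -PassThru -NoNewWindow
        # Windows Installer exit codes: 0 = success, 3010 = success, reboot required
        if ($proc.ExitCode -notin 0, 3010) {
            throw "Uninstall failed with exit code $($proc.ExitCode)."
        }
        return $proc.ExitCode
    }
}

# Usage:
#   Get-AtaGatewayUninstallEntry          # inspect the entry and its uninstall strings
#   Uninstall-AtaGateway -WhatIf          # dry run: shows the command without executing it
#   Uninstall-AtaGateway                  # runs the quiet uninstall (elevated session required)
```

Run it with -WhatIf first to confirm exactly which command string will be executed; an exit code of 3010 means the uninstall succeeded but the domain controller needs a reboot before the gateway service is fully gone.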

Charbel Nemnom is a Microsoft Cloud Solutions Architect, a fan of the latest IT platform solutions, and an accomplished hands-on technical professional with over 15 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design and virtualization.
